(54) Digital signature protocol with reduced bandwidth

(57) This invention discloses a method of authenticating a signature of a message m comprising the steps of
determining a hash h(m) of the message by application of a hash function and deriving therefrom a first
signature component. The signor then computes a function mathematically related to the hash of the message
and applies the function to the message to obtain a second signature component bound to the signatory. The
signature components are forwarded to a recipient. The recipient then recovers from one of the signature
components a message m', computes the hash value of m' by applying the hash function, and determines whether the
hash value of m' and the hash h(m) embodied in the first signature component are identical, whereby identity
indicates an authentic signature of the message.
DIGITAL SIGNATURE PROTOCOL WITH REDUCED BANDWIDTH

A digital signature is a piece of information which binds the creator to a message. 
Digital signature algorithms (or signature creation) are methods to construct a signature. 
Verification algorithms are methods to check or verify the authenticity of a signature. A 
digital signature scheme or mechanism consists of a signature creation algorithm and a 
signature verification algorithm. If the verification algorithm requires the message as an 
input, the digital signature is called a digital signature with appendix. If it does not 
require the message, it is called a digital signature with message recovery. 

The most well known example of a digital signature scheme comes from the RSA
public-key cryptosystem. This gives a digital signature with message recovery. Nyberg
and Rueppel recently have shown that the class of digital signatures commonly referred
to as El Gamal-like schemes can be modified to give the message recovery property.

One of the drawbacks to all of the known digital signature schemes with message
recovery is that the message must contain sufficient redundancy to avoid an existential
forgery attack. For example, ISO/IEC 9796 is an international standard whose purpose is
to prescribe how messages should be formed before being signed by the RSA technique.
It allows at most half of the bits in the messages to be information bits; the rest are
reserved for redundancy. Accordingly, an increased bandwidth is required to process the
messages.

It is an object of the present invention to provide a signature scheme in which the
required redundancy is reduced.

In general terms, the present invention provides a signature component for a 
message which utilises a hash of the message. The message is mathematically combined 
with the private key of the signatory and so it can be recovered using the public key of the 
signatory. The recipient receives the hash of the message and can compare it to the
corresponding hash of the recovered message to authenticate the signature.

More particularly, the present invention provides a method of authenticating a 
signature of a message m comprising the steps of 

(i) determining a hash h(m) of said message, by application of a hash function
and deriving therefrom a first signature component,



(ii) computing a function mathematically related to said hash of said message; 

(iii) applying said function to said message to obtain a second signature 
component, bound to said signatory; 

(iv) forwarding to a recipient said signature components; 

(v) recovering from said second component a message m',

(vi) computing a hash value of m' by applying said hash function; and

(vii) determining if said hash value of m' and said hash h(m) embodied in said
first signature component are identical whereby identity indicates an
authentic signature of said message.

Such new classes of digital signatures provide message recovery and have the
novel feature that minimal redundancy is required in the message to be signed. The
bandwidth saving could be very useful in some situations. For example, for a trusted
third party (TTP) who creates certificates for entities in a network, bandwidth
requirements are a concern. A TTP using an RSA scheme with modulus size 1024 bits to
sign messages in the order of 1000 bits will require a bandwidth in excess of 2000 bits.
One embodiment described below gives a scheme which would require only a small
number of bits in excess of this message size.

Embodiments of the invention will now be described by way of example only 
with reference to the accompanying drawings, in which 

Figure 1 is a schematic representation of a data communication system. 

Referring therefore to Figure 1, a pair of correspondents, 10,12, denoted as 
correspondent A and correspondent B, exchange information over a communication 
channel 14. A cryptographic unit 16,18, is interposed between each of the correspondents
10,12 and the channel 14. Each of the cryptographic units 16,18 can take a message 
carried between each unit 16,18 and its respective correspondent 10,12 and generate a 
signature associated with the message and the correspondent to be carried on the channel 
14. The signature may be generated in a number of ways depending on the underlying 
cryptographic principles utilised. 



1. Methods Based on Integer Factorization

Let p and q be prime numbers and n = pq such that the integer factorization
problem for n is intractable. The method to be described requires a one-way
cryptographic hash function h which maps bit strings of arbitrary length to bit strings of
length t. Typically t will be 64 or 128 bits. The messages to be signed may be thought of
as integers in Z_n.

Algorithm 1. Signature Generation. 

Let Entity A have the public key n and the private key λ(n) = lcm(p − 1, q − 1). To
sign a message m ∈ Z_n, entity A does the following:

(a) Treat m as a bit string and compute the hash value e_m = h(m).

(b) Use the extended Euclidean algorithm to compute an integer d_m such that
d_m e_m ≡ 1 (mod λ(n)), where the bit string e_m is now considered to be the binary
representation of an integer.

(c) Compute s_m = m^{d_m} (mod n).

(d) The signature for message m is (s_m, e_m).

Algorithm 2. Signature Verification. 

An entity B can verify the signature (s_m, e_m) by doing the following:

(a) Looks up entity A's public key n.

(b) Computes m' = s_m^{e_m} (mod n).

(c) Verifies that h(m') = e_m.

(d) If the verification process in (c) is successful, then m ' is the recovered 
message. 

For the signature algorithm to work, it must be true that gcd(e_m, λ(n)) = 1.
This can be guaranteed by the following simple modification. Let c be a string of l bits.
Instead of using h(m), use e_m = h(m) || c, where || means concatenation and c is chosen so
that the integer represented by e_m is relatively prime to λ(n) (i.e. gcd(e_m, λ(n)) = 1). A
preferred way to do this would be to select the primes p and q so that p − 1 and q − 1 have
no small odd prime factors and c is selected as the bit 1 (i.e. l = 1). It then follows that e_m =
h(m) || 1 is odd and that the probability that gcd(e_m, λ(n)) = 1 is very high. For the
verification algorithm in step (c), instead of verifying that h(m') = e_m, B verifies that
h(m') is equal to the first t bits of e_m.

The signature for message m contains (t + log_2 n) bits, or (t + l + log_2 n) bits if one
uses the modification described above.

The signature mechanism does not have the homomorphism property that the RSA
signature has, since when two messages m and m' have the same hash value, the product
of m and m' may not have the same hash value. Thus existential forgery by multiplying
signatures will not work in general, since the probability that h(m) = h(m') = h(mm') is
small.

The probability that an adversary can guess a pair (s_m, e_m) which will be a
signature of some m is

Signature generation for the new method is only slightly
more work (application of the Euclidean algorithm and the hash function) than for an
RSA signature generation on the same modulus. Signature verification is more work (but
not significantly more) than an RSA verification provided the RSA public exponent is
small; otherwise, the new method is superior.

A further modification of the integer factorization scheme is a modification of the
RSA signature scheme. Let Entity A have the public key n, e and the private key d where
ed ≡ 1 (mod n).

Algorithm 3. Signature Generation. 

To sign a message m, the entity A should do the following:

(a) Treat m as a bit string and compute the hash value h(m), where h can be
any one-way function.

(b) Compute s_m = (m h(m))^d (mod n).

(c) The signature for message m is (s_m, h(m)).



Algorithm 4. Signature Verification. 

An entity B can verify the signature (s_m, h(m)) by doing the following:

(a) Looks up entity A's public key e, n.

(b) Computes m' = s_m^e (h(m))^{−1} (mod n).

(c) Verifies that h(m') = h(m).

(d) If the verification process in (c) is successful, then m' is the recovered
message.
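Both integer-factorization variants above, Algorithms 1/2 (including the gcd modification, e_m = h(m) || c with verification against the first t bits of e_m) and Algorithms 3/4 (s_m = (m h(m))^d), in one added Python example. This is not code from the patent or its applicant; it exists only to show the two signing and recovery computations side by side. The primes 1019 and 2039 (safe primes, so p − 1 and q − 1 have no small odd factors), the 64-bit truncated SHA-1 hash, l = 8 padding bits, the public exponent 65537 and the message are constructed assumptions, and in the RSA-style variant the private exponent is taken modulo λ(n) so that recovery works.

```python
import hashlib
from math import gcd, lcm

# Constructed toy parameters (not the patent's figures): two safe primes, so that
# p-1 and q-1 have no small odd prime factors, as the text recommends.
P, Q = 1019, 2039
N = P * Q
LAMBDA = lcm(P - 1, Q - 1)   # lambda(n) = lcm(p-1, q-1): the private key of Algorithm 1
T_BITS = 64                  # hash length t (the text suggests 64 or 128 bits)
L_BITS = 8                   # length l of the padding string c in the modification


def h(m: int) -> int:
    """t-bit hash of the message treated as a bit string (truncated SHA-1; an assumption)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha1(data).digest()[: T_BITS // 8], "big")


# --- Algorithm 1 / 2 with the modification e_m = h(m) || c ----------------------
def sign_alg1(m: int) -> tuple[int, int]:
    """Return (s_m, e_m); c is the smallest odd l-bit string with gcd(e_m, lambda(n)) = 1."""
    for c in range(1, 1 << L_BITS, 2):           # odd c keeps e_m odd
        e_m = (h(m) << L_BITS) | c
        if gcd(e_m, LAMBDA) == 1:
            break
    else:
        raise ValueError("no padding c makes e_m coprime to lambda(n)")
    d_m = pow(e_m, -1, LAMBDA)                    # extended Euclid: d_m e_m = 1 (mod lambda(n))
    return pow(m, d_m, N), e_m                    # s_m = m^{d_m} (mod n)


def verify_alg2(s_m: int, e_m: int) -> tuple[bool, int]:
    """Recover m' = s_m^{e_m} (mod n); compare h(m') with the first t bits of e_m."""
    m_prime = pow(s_m, e_m, N)
    return h(m_prime) == (e_m >> L_BITS), m_prime


# --- Algorithm 3 / 4: RSA-style variant, s_m = (m h(m))^d (mod n) ---------------
E = 65537
D = pow(E, -1, LAMBDA)       # private exponent: e d = 1 (mod lambda(n)) in this example


def sign_alg3(m: int) -> tuple[int, int]:
    hm = h(m)
    return pow((m * hm) % N, D, N), hm


def verify_alg4(s_m: int, hm: int) -> tuple[bool, int]:
    """m' = s_m^e h(m)^{-1} (mod n); h(m) must be invertible mod n (pow raises otherwise)."""
    m_prime = (pow(s_m, E, N) * pow(hm, -1, N)) % N
    return h(m_prime) == hm, m_prime


if __name__ == "__main__":
    m = 123456                                   # constructed message, an element of Z_n
    s, e = sign_alg1(m)
    print("Alg 1/2:", verify_alg2(s, e))
    print("Alg 1/2, altered s_m:", verify_alg2(s + 1, e)[0])
    s3, hm = sign_alg3(m)
    print("Alg 3/4:", verify_alg4(s3, hm))
```

The signature of Algorithm 1/2 is (s_m, e_m), so its length is log_2 n + t + l bits, the figure the text gives for the modified scheme; a verifier that only receives the pair recovers m' itself, which is what makes this a scheme with message recovery.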

2. Methods Based on Rabin Signature Scheme 

An alternative signature scheme is that known as Rabin, which gets its security
from the difficulty of finding square roots modulo a composite number.

Let n = pq be a product of two primes where p ≡ 3 (mod 8) and q ≡ 7 (mod 8).
Let t = ½ lcm(p − 1, q − 1) = (p − 1)(q − 1)/4. It is easy to show that m^t ≡ 1 (mod n) provided m
is a quadratic residue modulo n, and m^t ≡ −1 (mod n) provided m is a quadratic non-
residue modulo p and modulo q respectively. Let J_m = (m/n) be the Jacobi symbol, Q_n be
the set of quadratic residues modulo n, and m be invertible mod n; we have the
following facts:

Fact 1. If J_m = 1, then m^t ≡ 1 (mod n) if m ∈ Q_n, and
m^t ≡ −1 (mod n) if m ∉ Q_n.

Fact 2. If J_m = −1, then J_{2m} = 1.

Fact 3. Let e be even and d satisfy ed ≡ 1 (mod t). If J_m = 1, then
m^{ed} ≡ m (mod n) if m ∈ Q_n, and
m^{ed} ≡ −m (mod n) if m ∉ Q_n.

Fact 1 and Fact 2 are trivial. For Fact 3, we can find an odd integer x such that
ed = 1 + xt. Hence

m^{ed} = m^{1 + xt} = (m^t)^x m ≡ m (mod n) if m ∈ Q_n,
and (−1)^x m = −m (mod n) if m ∉ Q_n.

Algorithm 5. Signature Generation for Modified Rabin Scheme. 

Let Entity A have the public key n and the private key t. To sign a message m <
⌊n/8⌋ − 1, entity A should do the following:

(a) Treat m as a bit string and compute the hash value h(m); then set e_m =
4h(m) + 2.

(b) Use the extended Euclidean algorithm to compute an integer d_m such that
d_m e_m ≡ 1 (mod t), where the bit string e_m is now considered to be the binary
representation of an integer.

(c) Compute J_{4m+2} = ((4m + 2)/n) and set an integer M by the following rule:

M = 4m + 2 if J_{4m+2} = 1,
M = 8m + 4 if J_{4m+2} = −1.

(d) Compute s_m = M^{d_m} (mod n).

(e) The signature for message m is (s_m, e_m).

Algorithm 6. Signature Verification for Proposed Rabin Scheme. 

An entity B can verify the signature (s m ,e m ) by doing the following: 

(a) Looks up entity A's public key n. 

(b) Computes M = s_m^{e_m} (mod n), where 0 < M < n.

(c) Takes m' by the following rule:
m' = (M − 2)/4, if M ≡ 2 (mod 4),
m' = (n − M − 2)/4, if M ≡ 3 (mod 4),
m' = (n − M − 4)/8, if M ≡ 1 (mod 4),
m' = (M − 4)/8, if M ≡ 0 (mod 4).

(d) Computes h(m') and verifies that 4h(m') + 2 = e_m.

(e) If the verification process in (d) is successful then m' is the recovered
message.
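The modified Rabin scheme of Algorithms 5 and 6 as an added Python example (not code from the patent). It shows the three pieces a reader has to get right: a Jacobi symbol routine, the choice between M = 4m + 2 and M = 8m + 4 (Fact 2 guarantees J_M = 1), and the four-way split on M mod 4 during recovery, which relies on n ≡ 1 (mod 4) when p ≡ 3 and q ≡ 7 (mod 8). The primes p = 1019 (≡ 3 mod 8) and q = 2039 (≡ 7 mod 8), the 64-bit truncated SHA-1 hash and the messages are constructed assumptions.

```python
import hashlib

# Constructed toy parameters (not the patent's): p = 3 (mod 8), q = 7 (mod 8)
P, Q = 1019, 2039
assert P % 8 == 3 and Q % 8 == 7
N = P * Q                       # n = pq, so n = 1 (mod 4)
T = (P - 1) * (Q - 1) // 4      # t = (1/2) lcm(p-1, q-1) = (p-1)(q-1)/4, the private key
MAX_M = N // 8 - 1              # 8m + 4 must stay below n for recovery to be unambiguous


def h(m: int) -> int:
    """64-bit hash of the message as a bit string (truncated SHA-1; an assumption)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity loop."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def sign_alg5(m: int) -> tuple[int, int]:
    """Algorithm 5: returns (s_m, e_m) with e_m = 4h(m) + 2 and M chosen so that J_M = 1."""
    if not 0 <= m < MAX_M:
        raise ValueError("message out of range")
    e_m = 4 * h(m) + 2                            # even, so Fact 3 applies
    d_m = pow(e_m, -1, T)                         # d_m e_m = 1 (mod t); raises if gcd != 1
    M = 4 * m + 2 if jacobi(4 * m + 2, N) == 1 else 8 * m + 4   # Fact 2: doubling flips J
    return pow(M, d_m, N), e_m


def verify_alg6(s_m: int, e_m: int) -> tuple[bool, int]:
    """Algorithm 6: M = s_m^{e_m} (mod n) equals +M or -M; M mod 4 says which case."""
    M = pow(s_m, e_m, N)                          # 0 < M < n
    if M % 4 == 2:                                # M = 4m + 2
        m_prime = (M - 2) // 4
    elif M % 4 == 3:                              # M = n - (4m + 2)
        m_prime = (N - M - 2) // 4
    elif M % 4 == 1:                              # M = n - (8m + 4)
        m_prime = (N - M - 4) // 8
    else:                                         # M = 8m + 4
        m_prime = (M - 4) // 8
    return 4 * h(m_prime) + 2 == e_m, m_prime


if __name__ == "__main__":
    for m in (7, 123456):                         # constructed messages
        s, e = sign_alg5(m)
        print(m, verify_alg6(s, e))
```

The signature is again only (s_m, e_m): the two bits of structure in e_m (it is ≡ 2 mod 4) and the two bits used to pad m are the whole redundancy, against the half-message redundancy of the standards the text contrasts this with.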

3. Methods Based on Discrete Log Problem 

A further class of signature schemes is based on the intractability of the discrete 
log problem, of which the Nyberg-Rueppel method is an example.

As with the RSA scheme, the Nyberg-Rueppel method of digital signature 
suffers the drawback that message redundancy is required. The method described below 
overcomes this problem. 

For the sake of simplicity only, one of the various possibilities will be discussed 
in detail, and although the method is applicable to any finite group, it will only be 
described in Z*. 

Let p and q be primes such that q | p − 1 and the discrete logarithm problem is
intractable in Z_p*. Let α be a generator for the cyclic subgroup G of order q in Z_p* and let
h be a cryptographic hash function as described above.

Entity A selects a private key a which is an integer selected at random from
{0, 1, ..., q − 1} and computes the public key β = α^a.

Algorithm 7. Signature Generation. 

To sign a message m ∈ Z_p*, entity A should do the following:

(a) Compute h(m).

(b) Select a random integer k ∈ {1, 2, ..., q − 1}.

(c) Compute r = m α^k (mod p).

(d) Compute s_m = a r h(m) + k mod q.

(e) The signature for message m is (s_m, r, h(m)).



Algorithm 8. Signature Verification.

Entity B can verify the signature (s_m, r, h(m)) on m by doing the following:

(a) Looks up A's public key β.

(b) Computes v_1 = α^{s_m} (mod p).

(c) Computes v_2 = β^{−r h(m)} (mod p).

(d) Computes w = v_1 v_2 (mod p).

(e) Computes m' = r w^{−1} (mod p).

(f) Computes h(m') and verifies that h(m') = h(m).

(g) The recovered message is m'.

Signature generation using the method of Algorithms 7 and 8 is almost as efficient
as the original Nyberg-Rueppel scheme except for the computation of the hash function.

Similarly, signature verification is almost as efficient as the original Nyberg-Rueppel
scheme except for the computation of the product r h(m) mod q and the computation of
the hash value h(m').
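The discrete-log variant of Algorithms 7 and 8, as an added Python example that is not code from the patent. The point it makes concrete is that v_1 v_2 = α^{s_m} β^{−r h(m)} collapses to α^k, so r w^{−1} gives back m, and that a signature delivered with a different hash value no longer recovers a message with that hash. The group (p = 2039, q = 1019, α = 2^2 mod p), the 64-bit truncated SHA-1 hash and the message 1234 are constructed assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (not the patent's): p = 2q + 1, so q divides p - 1
P, Q = 2039, 1019
assert (P - 1) % Q == 0
ALPHA = pow(2, (P - 1) // Q, P)          # a square mod p generates the subgroup of order q
assert ALPHA != 1 and pow(ALPHA, Q, P) == 1


def h(m: int) -> int:
    """64-bit hash of the message as a bit string (truncated SHA-1; an assumption)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def keygen() -> tuple[int, int]:
    a = secrets.randbelow(Q)             # private key a in {0, ..., q-1}
    return a, pow(ALPHA, a, P)           # public key beta = alpha^a


def sign_alg7(a: int, m: int) -> tuple[int, int, int]:
    """Algorithm 7: (s_m, r, h(m)) with r = m alpha^k (mod p), s_m = a r h(m) + k (mod q)."""
    if not 1 <= m < P:
        raise ValueError("m must be an element of Z_p^*")
    hm = h(m)
    k = secrets.randbelow(Q - 1) + 1     # random k in {1, ..., q-1}
    r = (m * pow(ALPHA, k, P)) % P
    s_m = (a * r * hm + k) % Q
    return s_m, r, hm


def verify_alg8(beta: int, s_m: int, r: int, hm: int) -> tuple[bool, int]:
    """Algorithm 8: w = alpha^{s_m} beta^{-r h(m)} = alpha^k, then m' = r w^{-1} (mod p)."""
    v1 = pow(ALPHA, s_m, P)
    v2 = pow(beta, (-r * hm) % Q, P)     # beta has order q, so the exponent reduces mod q
    w = (v1 * v2) % P
    m_prime = (r * pow(w, -1, P)) % P
    return h(m_prime) == hm, m_prime


if __name__ == "__main__":
    a, beta = keygen()
    sig = sign_alg7(a, 1234)             # constructed message
    print(verify_alg8(beta, *sig))
    s, r, hm = sig
    print("altered hash:", verify_alg8(beta, s, r, hm ^ 1)[0])
```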

The Nyberg-Rueppel scheme cannot be simply modified to give the same
results. For example, sending the hash of the message does not preclude an existential
forgery attack. Other Nyberg-Rueppel-like schemes can be similarly modified in
accordance with the methods of this invention. Alternatively, the methods of the present
invention may also be applied to elliptic curves; for example, a Nyberg-Rueppel scheme
that may be applied to elliptic curves is described below.

Let the curve be y^2 + xy = x^3 + ax^2 + b with large prime order n and P be a
point on the curve having x and y coordinates. Also let h be a cryptographic hash
function as described earlier.

Algorithm 9. Signature Generation 

Entity A selects a private key d which is an integer selected at random over {1, 2,
..., n − 1} and computes the public key Q = dP. To sign a message m where 1 < m < n,
entity A should do the following:

(a) Compute h(m).

(b) Select a random integer k ∈ {1, 2, ..., n − 1}.

(c) Compute kP and take x as the x-coordinate of the point kP.

(d) Compute r = m + x (mod n).

(e) Compute s_m = d r h(m) + k mod n.

(f) The signature for the message is (s_m, r, h(m)).



Algorithm 10. Signature Verification 

Entity B can verify the signature (s_m, r, h(m)) on m by doing the following:

(a) Look up A's public key Q.

(b) Compute s_m P.

(c) Compute (−r h(m)) Q.

(d) Compute T = s_m P + (−r h(m)) Q and take x' as the x-coordinate of the
point T.

(e) Compute m' = r − x' (mod n).

(f) Compute h(m') and verify that h(m') = h(m).

(g) The recovered message is m'.
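The elliptic-curve variant of Algorithms 9 and 10 as an added Python example (not code from the patent). It substitutes a prime-field curve for the binary curve y^2 + xy = x^3 + ax^2 + b of the text: the parameters are those of secp256k1 (y^2 = x^3 + 7 over F_p, prime group order n, base point G standing in for P), which I name plainly as a swapped-in curve; the signing and recovery steps are exactly those listed above, and the point they illustrate is that s_m P + (−r h(m)) Q collapses to kP, so r − x' returns m. The affine point arithmetic, the 64-bit truncated SHA-1 hash and the message are constructed assumptions.

```python
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_p with prime order N and base point G. This prime-field
# curve stands in for the binary curve of the text; the protocol steps are unchanged.
FP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None                                   # the point at infinity


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % FP == 0


def add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over F_p (handles doubling and P + (-P))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return x3, (lam * (x1 - x3) - y1) % FP


def mul(k: int, pt):
    """Double-and-add scalar multiplication kP; k is reduced mod the group order."""
    k %= N
    result = INF
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def h(m: int) -> int:
    """64-bit hash of the message as a bit string (truncated SHA-1; an assumption)."""
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def keygen():
    d = secrets.randbelow(N - 1) + 1         # private key d in {1, ..., n-1}
    return d, mul(d, G)                      # public key Q = dP


def sign_alg9(d: int, m: int):
    """Algorithm 9: r = m + x (mod n) with x from kP, s_m = d r h(m) + k (mod n)."""
    if not 1 < m < N:
        raise ValueError("1 < m < n is required")
    hm = h(m)
    k = secrets.randbelow(N - 1) + 1
    x = mul(k, G)[0]
    r = (m + x) % N
    s_m = (d * r * hm + k) % N
    return s_m, r, hm


def verify_alg10(q_pub, s_m: int, r: int, hm: int):
    """Algorithm 10: T = s_m P + (-r h(m)) Q = kP, then m' = r - x' (mod n)."""
    t_pt = add(mul(s_m, G), mul(-r * hm, q_pub))
    if t_pt is INF:
        return False, None
    m_prime = (r - t_pt[0]) % N
    return h(m_prime) == hm, m_prime


if __name__ == "__main__":
    d, q_pub = keygen()
    s, r, hm = sign_alg9(d, 0xC0FFEE)        # constructed message
    print(verify_alg10(q_pub, s, r, hm))
```

The signature (s_m, r, h(m)) is two scalars of log_2 n bits plus the t-bit hash, and the verifier needs only the public point Q; the message is never transmitted, which is the bandwidth saving the description is after.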



While the invention has been described in connection with a specific 
embodiment thereof and in a specific use, various modifications thereof will occur to 
those skilled in the art without departing from the spirit of the invention. 

The terms and expressions which have been employed in the specification are
used as terms of description and not of limitation; there is no intention in the use of such
terms and expressions to exclude any equivalents of the features shown and described or
portions thereof, but it is recognized that various modifications are possible within the
scope of the claims.



CLAIMS 

1. A method of authenticating a signature of a message m comprising the steps of:

a) determining a representation h(m) of said message by application of a one- 
way function and deriving therefrom a first signature component, 

b) computing a function mathematically related to said representation h(m) of 
said message, 

c) applying said function to said message to obtain a second signature 
component, bound to said signatory, 

d) forwarding to a recipient said signature components, 

e) recovering from said second component a message m',

f) computing a value of m' by applying said one-way function, and 

g) determining if said value of m' and said representation h(m) embodied in said
first signature component are identical whereby identity indicates an authentic 
signature of said message. 

2. A method as defined in claim 1, said one-way function being a cryptographic hash
function.

3. A method as defined in claim 2, said hash function being a SHA-1 hash function.

4. A method of authenticating a signature of a message m comprising the steps of: 

a) determining a hash h(m) of said message by application of a hash function and
deriving therefrom a first signature component,

b) computing a function d_m mathematically related to said hash of said message
such that e_m d_m = 1 mod (λ(n)),

c) applying said function d_m to said message to obtain a second signature
component S_m, bound to said signatory such that S_m = m^{d_m} mod (n),

d) forwarding to a recipient said signature components (e_m, S_m),

e) recovering from said second component S_m a message m' where S_m^{e_m} = m',

f) computing a hash value of m' by applying said hash function, and

g) determining if said hash value of m' and said hash h(m) embodied in said first
signature component are identical whereby identity indicates an authentic
signature of said message.

5. A method of authenticating a signature of a message m comprising the steps of: 

a) determining a hash h(m) of said message by application of a hash function and 
deriving therefrom a first signature component, 

b) selecting a random integer k ∈ {1, 2, ..., q − 1},

c) computing a third signature component r such that r = m α^k (mod p), where α
is a generator for a cyclic group G of order q in Z_p* and wherein q divides p − 1,

d) computing a second signature component s_m mathematically related to said
hash h(m) of said message, such that s_m = a r h(m) + k mod q, a being a private
key of said signatory,

e) forwarding to a recipient said signature components,

f) recovering from said second and third signature components a message m',

g) computing a value of m' by applying said hash function, and

h) determining if said value of m' and said representation h(m) embodied in said
first signature component are identical whereby identity indicates an authentic
signature of said message.

6. A method of authenticating a signature of a message m comprising the steps of:

a) determining a hash h(m) of said message by application of a hash function and
deriving therefrom a first signature component,

b) selecting a random integer k ∈ {1, 2, ..., q − 1},

c) computing a third signature component r such that r = m + x (mod n), where x
is a coordinate of a point kP on an elliptic curve defined by
y^2 + xy = x^3 + ax^2 + b of order n,

d) computing a second signature component s_m mathematically related to said
hash h(m) of said message, such that s_m = d r h(m) + k mod q, d being a private
key of said signatory,

e) forwarding to a recipient said signature components,

f) recovering from said second and third signature components a message m',

g) computing a value of m' by applying said hash function, and

h) determining if said value of m' and said representation h(m) embodied in said
first signature component are identical whereby identity indicates an authentic
signature of said message.

7. A computer readable medium whose contents cause a computer system to generate a
signature of a message m, the computer system having a signature generation 
program, by performing the steps of: 

a) determining a representation h(m) of said message by application of a one-
way function and deriving therefrom a first signature component, 

b) computing a function mathematically related to said representation h(m) of 
said message, 

c) applying said function to said message to obtain a second signature 
component, bound to said signatory, 

d) forwarding to a recipient said signature components, whereby said signature 
components include said message and a message dependant component. 

8. A computer readable medium as defined in claim 7, including a signature verification 
program. 

9. A computer readable medium as defined in claim 8, said signature verification 
program including the steps of: 

a) recovering from said second component a message m',

b) computing a value of m' by applying said one-way function, and 

c) determining if said value of m' and said representation h(m) embodied in said
first signature component are identical whereby identity indicates an authentic
signature of said message.

10. A method of authenticating a signature of a message m, substantially as
hereinbefore described with reference to the accompanying drawings.

11. A computer readable medium, substantially as hereinbefore described
with reference to the accompanying drawings.



Application No: GB 9709816.4
Claims searched: 1-11 



Examiner: Stephen Brown 

Date of search: 13 August 1997 



Patents Act 1977 

Search Report under Section 17 

Databases searched: 

UK Patent Office collections, including GB, EP, WO & US patent specifications, in: 
UK Cl (Ed.O): H4P (PDCSA, PDCSC)
Int Cl (Ed.6): H04L: 9/30, 9/32.
Other: Online: WPI



Documents considered to be relevant:

Category   Identity of document and relevant passage                                          Relevant to claims
A          EP 0 639 907 A1 (R3 Security) See especially column 5, line 54, to column 6, line 25.
A          EP 0 214 609 A2 (Hitachi) See especially column 5, lines 5-25.
A          US 5 208 858 (Siemens) See especially figure 1.

X  Document indicating lack of novelty or inventive step.
Y  Document indicating lack of inventive step if combined with one or more other documents of same category.
&  Member of the same patent family.
A  Document indicating technological background and/or state of the art.
P  Document published on or after the declared priority date but before the filing date of this invention.
E  Patent document published on or after, but with priority date earlier than, the filing date of this application.



An Executive Agency of the Department of Trade and Industry 


